Fixed in trunk r63728.
There was a problem with the code on normal architectures as well.
The input was a size_t while the output was an int. So an integer
overflow could have happened going from the vsnprintf return value to
the integer since size_t is unsigned and int isn't (also when size_t is
a larger type than an int).
I don't think that would lead to memory corruption when using the
system's vsnprintf but it could have bad results if the caller expected
str to be null terminated properly.
I will backport this to release25-maint.